Support #5298

Avatar?id=1733&size=50

[SCP IP ##2656## : Epay Txn Failed]

Added by Ahmad Hazri over 9 years ago. Updated about 9 years ago.

Status:Closed - End of life cycleStart date:April 30, 2015
Priority:NormalDue date:
Assignee:Zahir Abd Latif% Done:

100%

Category:MY RIBSpent time:-
Target version:-

Description

Epay transaction failed after the EPAY New Web Service / JVM memory upgrade activity done on 29/04/2015 - 30/04/2015. Kindly assist to check. Attached is the nohup log for your perusal.

History

#1 Updated by Ngoh Chee Ping over 9 years ago

  • Status changed from New - Begin Life Cycle to Development / Work In Progress
  • Assignee changed from Ngoh Chee Ping to Ahmad Hazri

This issue is related to the new epay webservice URL updated yesterday. Now need KFH to install the new SSL certificate for the new epay URL. Hazri is helping KFH for this case.

#2 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Working with shikin:
  • Shikin to get requirement for the new web service URL from ePay.
  • Suspecting the new URL is using new SSL cert.
  • According to her this might due to SSLv3 no longer supported.

#3 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Confirmed by Shikin that epay is no longer supporting SSL protocols (regardless version) and supporting only TLS 1 and above).
Currently checking with WebLogic support for this issue.

#4 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Set WebLogic to use TLS1 only protocol
Both OLD and NEW ePay URL given the same ssl error message.

Dev:
————
OLD:
https://58.26.9.22:22837/willani/services/oglws
https://58.26.9.22:22837/willani/services/oglws2

NEW:
————
https://wstest.oriongateway.com:22837/willani/services/oglws
IP Address: 219.92.28.137

#5 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Summarily:

Error message: Invalid SSL Header
Based on Oracle Knowledge Document, it can coz by multiple case

1) Using protocol not supported by Weblogic. (supported protocol SSLv3 and TLS 1.0)
2) Using Microsoft ISA server or Window Load Balancer

Workaround
1) Enable only TLS1 at WebLogic level - tested in Stg but doesnt work
2) Using JSSE protocol - Not supported in current version of KFH's ESB

Moving forward, will test using SoapUI in laptop to direct conect epay

#6 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Status

For this Warning

<Warning> <Security> <BEA-090565> <The server SSL identity key algorithm DSA is not supported.>

- updating the Identity store to RSA algorithm.

For this error message

<BAD_CERTIFICATE alert was received from wstest.oriongateway.com - 219.92.28.137. Check the peer to determine why it rejected the certificate chain (trusted CA configuration, hostname verification). SSL debug tracing may be required to determine the exact reason the certificate was rejected.>

- Request shikin to forward the error message to epay for confirmation.

#7 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

New issue occur

<Error> <ALSB Kernel> <BEA-380001> <Exception on TransportManagerImpl.sendMessageToService, com.bea.wli.sb.transports.TransportException: com.bea.wli.sb.security.CredentialNotFoundException
com.bea.wli.sb.transports.TransportException: com.bea.wli.sb.security.CredentialNotFoundException

com.bea.wli.sb.transports.TransportException: No SSL certificates present

Cause: Service Provider Key corrupted. Need to recreate.

Note: Awaiting reply by Shikin. Due to Production issue, most IT team is not available.

#8 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Oracle is a joke, their response only asking the debug log which been provided and after log given took a week to response or none at all.

Try and error every step found in My Oracle Support (MOS) Portal. See any progress today.

#9 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

Since ePay insist on 2-way SSL, regenerating the KFHIdentity.jks file after found out the keystore has been generated with DSA algorithm (unsupported by WebLogic server).
Both ePay and KFH are using self-signed certificate.

KFH self-signed certificate:

CN=www.kfhonline.com.my,OU=IT,O=KFHMB,L=KL,ST=WP,C=MY


expired : 05/Oct/2023 13:43:12 MYT

RSA 2048 bits

All previous imported certificate, ePay, MobilityOne are reimported.

Awaiting Shikin to restart ESB staging...

#10 Avatar?id=1733&size=24 Updated by Ahmad Hazri over 9 years ago

  • Status changed from Development / Work In Progress to Pending Customer Feedback

Manage to connect to epay with 2-way SSL using new generated certificate.
Pending Shikin to retest and verify with epay

#11 Updated by Zahir Abd Latif about 9 years ago

  • Status changed from Pending Customer Feedback to Closed - End of life cycle
  • Assignee changed from Ahmad Hazri to Zahir Abd Latif
  • % Done changed from 0 to 100

Related to [Request ID :##2648##] : ePay new URL
- Case resolved

Issue closed in SCP.

Also available in: Atom PDF